Here is a patch which allows mod_ssl to read certificates and keys from a DB
file by creating two new directives, SSLCertificateDB and SSLCertificateKeyDB.
These directives take two arguments: the filename of the DB file to read from
and the key in that DB file to use. I created this patch to help along my
server which is reading 1,000 certificate/key pairs.
The patch is designed to be most efficient when reading all keys and
certificates from the same database file, however any number of database files
may be specified. It is also coded so that the key and certificate may be read
from the same database key and only one database file lookup will be done.
The DB file reading code is set up to work with Berkeley DB version one or two. I
simply stole the lookup code and the ConfigStart/ConfigEnd code from the
mod_auth_db.c standard Apache module. However, this conflicted with the SSL
session cache code which loaded the NDBM headers. I got it working by selecting
the internal hash of SDBM. I recommend that someone who knows what they are
doing work out a better solution here.
It is important to note that this patch generalizes the key/crt configuration
code. The sc->szPublicCertFile table has been replaced with a
sc->pPublicCertSource table of type ssl_source_t. (And sc->szPrivateKeyFile
with sc->pPrivateKeySource.) The ssl_source_t typedef is defined in mod_ssl.h
as follows:
    typedef enum {
        SSL_SOURCE_FILE = 0,    /* read cert/key from a plain file   */
        SSL_SOURCE_DB   = 1     /* read cert/key from a DB file      */
    } ssl_source_type_t;

    typedef struct {
        char *szDataA;          /* file name, or DB file name        */
        char *szDataB;          /* DB key (unused for file sources)  */
        ssl_source_type_t nType;
    } ssl_source_t;
This easily allows others to come in and code other sources for grabbing
crt/keys... such as LDAP or whatever. IMO, this is a move in the right
direction.
Another note: The keys/crts are read into the database and then written into an
unlinked temporary file which is provided to OpenSSL for reading. This patch
re-uses the same temporary file for all of the key/crts, so I need to truncate
the file when I write new data to it. I could not find a way to truncate this
file without running a flush on it. It would be ideal to find a method which
sets up a FILE* structure which contains the crt/key data from the database
file without doing any disk writes. I don't know how to do this or if it can be
done.
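The following is an added illustration, not code from the patch or from mod_ssl: it shows the ssl_source_t dispatch described above (one DB lookup serving both certificate and key) and one answer to the question at the end, namely fmemopen (POSIX.1-2008, in glibc) to hand a FILE* over an in-memory buffer so no temporary file is written or truncated. The FAKE_DB table stands in for the Berkeley DB file, the PEM bodies are placeholders rather than real key material, and the function names ssl_source_fetch, ssl_source_stream and pem_section are assumptions for this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Types as described in the post (mod_ssl.h). Everything below them is an
 * added example, not the patch's own code. */
typedef enum { SSL_SOURCE_FILE = 0, SSL_SOURCE_DB = 1 } ssl_source_type_t;
typedef struct {
    char *szDataA;              /* file name, or DB file name       */
    char *szDataB;              /* DB key (unused for file sources) */
    ssl_source_type_t nType;
} ssl_source_t;

/* Constructed stand-in for a Berkeley DB file: (db file, key) -> PEM blob.
 * One record may hold both certificate and key, so one lookup serves both. */
typedef struct { const char *db; const char *key; const char *pem; } db_record_t;
static const db_record_t FAKE_DB[] = {
    { "/var/db/certs.db", "host1",
      "-----BEGIN CERTIFICATE-----\nCERT1PLACEHOLDER\n-----END CERTIFICATE-----\n"
      "-----BEGIN RSA PRIVATE KEY-----\nKEY1PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n" },
    { "/var/db/certs.db", "host2",
      "-----BEGIN CERTIFICATE-----\nCERT2PLACEHOLDER\n-----END CERTIFICATE-----\n" },
};

/* Single DB lookup; NULL when (db, key) is absent. */
static const char *db_lookup(const char *db, const char *key)
{
    for (size_t i = 0; i < sizeof FAKE_DB / sizeof FAKE_DB[0]; i++)
        if (strcmp(FAKE_DB[i].db, db) == 0 && strcmp(FAKE_DB[i].key, key) == 0)
            return FAKE_DB[i].pem;
    return NULL;
}

/* Copy the bytes behind a source into buf. Returns the byte count, or -1 for
 * a missing file, missing DB key, oversized blob or unknown type. A DB source
 * does no disk I/O at all. */
long ssl_source_fetch(const ssl_source_t *src, char *buf, size_t cap)
{
    if (src->nType == SSL_SOURCE_FILE) {
        FILE *fp = fopen(src->szDataA, "r");
        if (!fp) return -1;
        size_t n = fread(buf, 1, cap - 1, fp);
        fclose(fp);
        buf[n] = '\0';
        return (long)n;
    }
    if (src->nType == SSL_SOURCE_DB) {
        const char *pem = db_lookup(src->szDataA, src->szDataB);
        if (!pem || strlen(pem) >= cap) return -1;
        strcpy(buf, pem);
        return (long)strlen(pem);
    }
    return -1;
}

/* Expose fetched bytes to a FILE*-based reader (e.g. PEM_read_X509) without a
 * temporary file: fmemopen builds a read-only stream over buf, so nothing hits
 * the disk and nothing needs truncating between certificates. buf must stay
 * alive until fclose(), which releases only the FILE object. */
FILE *ssl_source_stream(char *buf, size_t len)
{
    return fmemopen(buf, len, "r");
}

/* Cut the "-----BEGIN label-----" ... "-----END label-----" section out of a
 * blob so one DB record can yield the certificate and the key separately.
 * Returns the section length (trailing newline included) or -1 if absent. */
long pem_section(const char *blob, const char *label, char *out, size_t cap)
{
    char begin[96], end[96];
    snprintf(begin, sizeof begin, "-----BEGIN %s-----", label);
    snprintf(end, sizeof end, "-----END %s-----", label);
    const char *s = strstr(blob, begin);
    if (!s) return -1;
    const char *e = strstr(s, end);
    if (!e) return -1;
    e += strlen(end);
    if (*e == '\n') e++;
    size_t n = (size_t)(e - s);
    if (n >= cap) return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    return (long)n;
}

int main(void)
{
    ssl_source_t src = { "/var/db/certs.db", "host1", SSL_SOURCE_DB };
    char blob[1024], cert[512], line[128];
    if (ssl_source_fetch(&src, blob, sizeof blob) < 0) return 1;
    if (pem_section(blob, "CERTIFICATE", cert, sizeof cert) < 0) return 1;
    FILE *fp = ssl_source_stream(cert, strlen(cert));   /* no disk write */
    while (fgets(line, sizeof line, fp)) fputs(line, stdout);
    fclose(fp);
    return 0;
}
```

Where fmemopen is unavailable, the portable route inside OpenSSL itself is a memory BIO (BIO_new_mem_buf) passed to the PEM_read_bio_* readers, which likewise never touches the file system; this example stays with FILE* because that is what the post's temporary-file approach feeds to OpenSSL.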
- David Harris
Principal Engineer, DRH Internet Services
mod_ssl-2.3.5-1.3.6_dbfilecert-1.1.patch